CCNA Dev AWS Services Questions

75 of 518 questions · Page 3/7 · Dev AWS Services topic · Answers revealed

151
MCQ · easy

A developer is building an AWS Lambda function that needs to retrieve a database password securely. The password is stored in AWS Secrets Manager and is rotated every 30 days. The function must minimize the number of API calls to Secrets Manager. Which approach should the developer use?

A. Store the database password as an encrypted environment variable in the Lambda function.
B. Call Secrets Manager on every invocation to get the latest secret.
C. Retrieve the secret from Secrets Manager once outside the handler function, cache it in a global variable, and refresh the cache if the secret fails.
D. Use AWS Systems Manager Parameter Store SecureString instead of Secrets Manager.
Answer: C

Caching the secret in the global scope allows reuse across invocations within the same execution environment. If the secret is rotated, the cache can be refreshed when the cached secret fails to authenticate.

Why this answer

Option C is correct because it retrieves the secret once during the Lambda cold start (outside the handler), caches it in a global variable, and only refreshes the cache if the secret fails (e.g., due to rotation). This minimizes API calls to Secrets Manager while still handling secret rotation gracefully, as the cached secret remains valid until a failure occurs.

Exam trap

The trap here is that candidates assume 'minimize API calls' means never calling Secrets Manager again, but the correct approach allows a single call per cold start with a fallback refresh on failure, not zero calls forever.

How to eliminate wrong answers

Option A is wrong because storing the password as an encrypted environment variable does not support automatic rotation—the value is static until the function is redeployed, violating the requirement that the password is rotated every 30 days. Option B is wrong because calling Secrets Manager on every invocation maximizes API calls, incurring unnecessary cost and latency, and contradicts the requirement to minimize API calls. Option D is wrong because switching to Systems Manager Parameter Store does not inherently reduce API calls; the same caching strategy would still be needed, and the question specifically asks about Secrets Manager, not an alternative service.
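The caching pattern from option C, as an added example that is not part of the original question bank: the secret is fetched once per execution environment and refreshed only when the database rejects it. `FakeSecretsManager`, `FakeDatabase`, `AuthError` and the secret name are constructed stand-ins; a real function would pass `boto3.client("secretsmanager")` as the client.

```python
class AuthError(Exception):
    """Raised by the (hypothetical) database layer when the password is rejected."""


class SecretCache:
    """Holds one secret for the lifetime of a Lambda execution environment."""

    def __init__(self, client, secret_id):
        self._client = client        # real code: boto3.client("secretsmanager")
        self._secret_id = secret_id
        self._value = None

    def get(self, force_refresh=False):
        # Only a cold cache or an explicit refresh costs an API call.
        if self._value is None or force_refresh:
            resp = self._client.get_secret_value(SecretId=self._secret_id)
            self._value = resp["SecretString"]
        return self._value


def run_with_secret(cache, operation):
    """Run operation(password); on AuthError refresh once and retry once."""
    try:
        return operation(cache.get())
    except AuthError:
        # The cached password was probably rotated. A second AuthError is
        # not caught, so a wrong secret cannot cause a refresh loop.
        return operation(cache.get(force_refresh=True))


# ---- constructed stand-ins so the example runs offline ----
class FakeSecretsManager:
    def __init__(self, password):
        self.password = password
        self.calls = 0               # counts GetSecretValue calls

    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"SecretString": self.password}


class FakeDatabase:
    def __init__(self, password):
        self.password = password

    def query(self, password):
        if password != self.password:
            raise AuthError("access denied")
        return "ok"


def simulate():
    """Five warm invocations, a rotation, then four more invocations."""
    sm = FakeSecretsManager("pw-v1")
    db = FakeDatabase("pw-v1")
    cache = SecretCache(sm, "prod/db/password")  # created outside the handler

    def handler(event, context=None):
        return run_with_secret(cache, db.query)

    for _ in range(5):
        handler({})
    calls_before_rotation = sm.calls

    sm.password = db.password = "pw-v2"          # rotation happens
    first_result_after_rotation = handler({})
    calls_after_rotation = sm.calls

    for _ in range(3):
        handler({})
    return (calls_before_rotation, first_result_after_rotation,
            calls_after_rotation, sm.calls)


if __name__ == "__main__":
    print(simulate())
```
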

152
MCQ · hard

A developer is building a REST API using API Gateway and AWS Lambda. The API must support long-running operations that can take up to 30 minutes. The current implementation uses synchronous Lambda invocation, causing API Gateway to timeout after 29 seconds. What solution should the developer implement?

A. Increase the Lambda function timeout to 30 minutes.
B. Use an SQS queue to decouple the request and have the client poll for results.
C. Use Lambda function URL directly and bypass API Gateway.
D. Change the API Gateway integration to HTTP_PROXY type.
Answer: B

This pattern allows the API to return immediately and the client to poll for the result asynchronously.

Why this answer

Option B is correct because API Gateway has a 29-second timeout for synchronous integrations. By using asynchronous processing with SQS and a separate polling endpoint, the client can retrieve results later. Option D is wrong because HTTP_PROXY integration still has the same timeout.

Option A is wrong because increasing Lambda timeout does not affect API Gateway's integration timeout. Option C is wrong because connecting directly to the Lambda function URL still has a maximum invocation payload size and timeout, but the API Gateway timeout is the primary issue.

153
MCQ · hard

A company runs a containerized application on Amazon ECS with Fargate. The application writes logs to stdout. The operations team wants to send these logs to a centralized log management tool that requires logs in JSON format. What is the BEST way to achieve this without modifying application code?

A. Use the FireLens log driver to route logs to Fluent Bit and then to the tool
B. Use the awslogs log driver and configure a JSON output format
C. Install the CloudWatch Logs agent on the container
D. Modify the application to output logs in JSON format
Answer: A

FireLens allows log routing and transformation without code changes.

Why this answer

Option A is correct because the FireLens integration allows you to use a log router (e.g., Fluent Bit) in the task definition to transform logs to JSON and forward them to any destination. Option C is wrong because CloudWatch Logs agent is for EC2, not Fargate. Option B is wrong because you cannot modify the `awslogs` driver to output JSON; it sends to CloudWatch Logs.

Option D is wrong because modifying the application requires code change.

154
Multi-Select · hard

Which THREE steps are required to enable cross-account access to a DynamoDB table from a Lambda function in another AWS account?

Select 2 answers
A. Create a resource-based policy on the DynamoDB table that allows access from the Lambda execution role.
B. Configure the Lambda function to assume an IAM role in the DynamoDB account.
C. Add a trust policy to the Lambda execution role allowing the DynamoDB account to access it.
D. Add a bucket policy to the DynamoDB table to allow cross-account access.
E. In the Lambda account, attach an IAM policy to the Lambda execution role that allows access to the DynamoDB table.
Answers: A, E

DynamoDB supports resource-based policies for fine-grained access.

Why this answer

Options A, B, and D are correct. The DynamoDB table must have a resource-based policy allowing the Lambda execution role. The Lambda execution role must have a trust policy allowing the other account to assume it.

Option C is not required because DynamoDB uses resource-based policies; an S3 bucket policy is not relevant. Option E is not correct because DynamoDB does not support bucket policies.

155
MCQ · easy

A developer is deploying a new version of a microservice that runs on AWS Fargate. The service is part of an Amazon ECS cluster and has an associated Application Load Balancer (ALB). The developer wants to perform a rolling update without downtime and ensure that at least 50% of the service's desired count remains available during the deployment. The current desired count is 4. The developer updates the task definition and triggers a new service deployment using the AWS CLI. After the update, the developer notices that the service briefly goes to 0 running tasks during the deployment, causing downtime. The ECS service deployment configuration has: minimumHealthyPercent=50 and maximumPercent=200. What is the most likely cause of this downtime?

A. The ALB health check is misconfigured, causing healthy tasks to be marked as unhealthy and replaced.
B. The service is using the CODE_DEPLOY deployment controller instead of the default ECS rolling update controller.
C. The minimumHealthyPercent value of 50% is too low, allowing the service to scale down to 0 tasks.
D. The ALB deregistration delay is set to 0, causing tasks to be removed immediately.
Answer: B

Correct: With CODE_DEPLOY controller, ECS does not manage the rollout; it stops tasks and waits for external deployment.

Why this answer

Option B is correct because the deployment controller default is ECS, not CODE_DEPLOY. ECS rolling update with min/max settings should work, but if the deployment controller is set to 'CODE_DEPLOY', the service does not manage the rollout automatically; it expects an external deployment. In this case, the developer triggered a new deployment with the updated task definition but the service might have been configured with CODE_DEPLOY controller, causing it to stop all tasks.

Option C is incorrect because 50% minimum healthy percent should keep at least 2 tasks. Option D is incorrect because deregistration delay affects draining, not immediate 0 count. Option A is incorrect because the ALB health check doesn't cause tasks to stop.

156
MCQ · easy

A developer is building a serverless application using AWS Lambda and Amazon DynamoDB. The Lambda function reads from a DynamoDB table. The function fails with a timeout error when processing large items. What is the MOST efficient solution?

A. Increase the Lambda function memory.
B. Increase the Lambda function timeout.
C. Enable Lambda provisioned concurrency.
D. Increase the DynamoDB read capacity units.
Answer: B

A longer timeout allows processing of large items without timing out.

Why this answer

Option B is correct because increasing Lambda timeout gives more time for large item processing. Option C is wrong because provisioned concurrency reduces cold starts but not timeouts. Option A is wrong because increasing memory also increases CPU, but the primary issue is the timeout limit.

Option D is wrong because increasing DynamoDB RCUs addresses throttling, not timeouts.

157
Multi-Select · hard

A developer is implementing a CI/CD pipeline using AWS CodePipeline. The pipeline has a source stage that uses an Amazon S3 bucket, a build stage that uses AWS CodeBuild, and a deploy stage that uses AWS CodeDeploy. The developer wants to ensure that the pipeline automatically triggers when a new file is uploaded to the S3 source bucket. Which TWO steps should the developer take to configure this? (Choose two.)

Select 2 answers
A. Create a webhook in CodePipeline and configure S3 to send HTTP requests to the webhook URL.
B. Enable S3 event notifications on the bucket to publish events to Amazon CloudWatch Events.
C. Configure AWS CloudTrail to log S3 PutObject events and trigger the pipeline.
D. Create an AWS Lambda function that is invoked on S3 object creation and starts the pipeline.
E. In the CodePipeline source action, specify the S3 bucket and enable 'S3 source change detection'.
Answers: B, E

Correct: S3 event notifications can trigger CloudWatch Events, which can trigger the pipeline.

Why this answer

Option B is correct because enabling S3 event notifications on the bucket can trigger the pipeline. Option E is correct because the pipeline source configuration should be set to 'Amazon S3' and the event notification should be configured to invoke the pipeline. Option C is incorrect because CloudTrail is for auditing, not triggering.

Option D is incorrect because Lambda is not required; S3 events can directly trigger CodePipeline. Option A is incorrect because webhooks are for third-party sources like GitHub.

158
MCQ · hard

A developer is building a multi-region application using Amazon DynamoDB global tables. The application needs to read data from a replica table in a different region shortly after a write in the primary region. The developer notices that reads sometimes return stale data. Which of the following explains this behavior?

A. Global tables use asynchronous replication, introducing unavoidable replication lag.
B. The developer must use DynamoDB Streams to capture changes and replicate them separately.
C. The developer must enable strong consistency reads on the replica table.
D. The global table must be configured with write forwarding.
Answer: A

Replication between regions is eventually consistent, meaning there can be a delay before data appears in other regions.

Why this answer

Amazon DynamoDB global tables use asynchronous replication to propagate writes from one region to all other replica tables. This means that after a write in the primary region, there is an inherent replication lag (typically sub-second but can be higher under load or network issues) before the change is visible in other regions. The developer observes stale reads because the read is hitting a replica that has not yet received the update, which is expected behavior for eventually consistent reads on global tables.

Exam trap

The trap here is that candidates often assume DynamoDB global tables provide immediate consistency across regions (like synchronous replication) or that they can simply switch to strong consistency reads on replicas, but the exam tests the understanding that global tables are eventually consistent and that strong consistency is not available on replica tables.

How to eliminate wrong answers

Option B is wrong because DynamoDB Streams are used to capture item-level changes for custom processing (e.g., triggering Lambda functions), but they are not required for replication in global tables—global tables handle replication internally using the DynamoDB replication protocol. Option C is wrong because strong consistency reads are not supported on replica tables in a global table setup; only eventually consistent reads are available on replicas, so enabling strong consistency reads is not an option. Option D is wrong because write forwarding is a feature that allows a write request to a replica to be forwarded to the primary region for execution, but it does not affect the read consistency or replication lag when reading from a replica after a write in the primary region.

159
MCQ · medium

A developer is deploying a web application using AWS Elastic Beanstalk. The application uses a MySQL database. During deployment, the developer needs to apply database schema migrations. Which approach should the developer use to run database migrations as part of the Elastic Beanstalk deployment?

A. Use an .ebextensions configuration file to run a migration script during deployment.
B. Configure an RDS event subscription to trigger a Lambda function that runs migrations.
C. Run the migration script as a scheduled task using CloudWatch Events.
D. Use AWS CodeDeploy's AppSpec file to run the migration script.
Answer: A

.ebextensions allows custom commands.

Why this answer

Option A is correct because .ebextensions config files can run custom commands during deployment, such as a migration script. Option B is wrong because deployment hooks are for scripts, not RDS events. Option C is wrong because CodeDeploy is a separate service.

Option D is wrong because Lambda is not triggered automatically during Beanstalk deployment.

160
MCQ · medium

A developer needs an S3 upload workflow where clients upload large files directly to S3 without exposing AWS credentials through the browser. What should the backend generate?

A. Pre-signed URLs with appropriate expiration and object restrictions
B. Long-lived IAM access keys for each client
C. A public-read bucket policy
D. An S3 Inventory report
Answer: A

Correct for the stated requirement.

Why this answer

Pre-signed URLs allow the backend to generate time-limited, permission-restricted URLs that clients can use to upload objects directly to S3 without exposing AWS credentials. The backend signs the URL with IAM credentials, and the client uses the URL to perform the PUT operation, ensuring secure, credential-free uploads.

Exam trap

The trap here is that candidates may confuse pre-signed URLs with public bucket policies or long-lived keys, thinking that any form of direct access requires exposing credentials, when in fact pre-signed URLs provide temporary, scoped access without credential leakage.

How to eliminate wrong answers

Option B is wrong because long-lived IAM access keys would expose permanent credentials in the browser, violating the requirement to avoid credential exposure and creating a severe security risk. Option C is wrong because a public-read bucket policy allows anyone to read objects but does not provide a secure, controlled upload mechanism; it would also expose the bucket to unauthorized writes if not carefully restricted. Option D is wrong because an S3 Inventory report is a listing of objects for auditing or lifecycle management, not a mechanism for uploading files.
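What "time-limited, permission-restricted" means in practice, as an added example that is not part of the original question bank: a standard-library SigV4 query-string presigner for a PUT, plus a `check_request` function that simulates the service-side check. It goes beyond the explanation above by spelling out the signing steps; a real backend would use the SDK's presign call instead. The bucket, object key, timestamp and the AWS documentation example credentials are constructed sample values, and `check_request` is a hypothetical stand-in for S3's own validation.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, quote, urlsplit

ALGORITHM = "AWS4-HMAC-SHA256"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _sign(secret_key, method, host, path, params, amz_date, scope):
    """Signature over the method, object path and every X-Amz-* parameter."""
    query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}"
                     for k, v in sorted(params.items()))
    canonical_request = "\n".join(
        [method, path, query, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(
        [ALGORITHM, amz_date, scope,
         hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = ("AWS4" + secret_key).encode()
    for part in scope.split("/"):        # date, region, service, aws4_request
        key = _hmac(key, part)
    sig = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return query, sig


def presign_put(access_key, secret_key, bucket, key, region, expires_s, now):
    """Backend side: build a URL that allows one PUT to one key until expiry."""
    host = f"{bucket}.s3.{region}.amazonaws.com"
    path = "/" + quote(key, safe="/")
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{access_key}/{scope}",  # key ID only, never the secret
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires_s),
        "X-Amz-SignedHeaders": "host",
    }
    query, sig = _sign(secret_key, "PUT", host, path, params, amz_date, scope)
    return f"https://{host}{path}?{query}&X-Amz-Signature={sig}"


def check_request(url, method, secret_key, now):
    """Simulated service side: recompute the signature, then check the expiry."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query))
    presented = params.pop("X-Amz-Signature", "")
    amz_date = params["X-Amz-Date"]
    scope = params["X-Amz-Credential"].split("/", 1)[1]
    _, expected = _sign(secret_key, method, parts.netloc, parts.path,
                        params, amz_date, scope)
    if not hmac.compare_digest(presented, expected):
        return "signature mismatch"
    signed_at = datetime.strptime(amz_date, "%Y%m%dT%H%M%SZ").replace(
        tzinfo=timezone.utc)
    if now > signed_at + timedelta(seconds=int(params["X-Amz-Expires"])):
        return "expired"
    return "accepted"


def demo():
    # Constructed sample values; the credentials are the AWS documentation examples.
    access_key = "AKIAIOSFODNN7EXAMPLE"
    secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
    issued = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    url = presign_put(access_key, secret_key, "example-uploads",
                      "uploads/user-42/report.pdf", "us-east-1", 300, issued)
    soon = issued + timedelta(seconds=60)
    return {
        "secret_in_url": secret_key in url,
        "in_window": check_request(url, "PUT", secret_key, soon),
        "after_expiry": check_request(url, "PUT", secret_key,
                                      issued + timedelta(seconds=301)),
        "other_method": check_request(url, "GET", secret_key, soon),
        "other_key": check_request(
            url.replace("user-42", "user-7"), "PUT", secret_key, soon),
        "longer_expiry": check_request(
            url.replace("X-Amz-Expires=300", "X-Amz-Expires=86400"),
            "PUT", secret_key, issued + timedelta(hours=1)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```
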

161
MCQ · easy

A developer is using Amazon DynamoDB to store session data for a web application. The application experiences read-heavy traffic and the developer wants to reduce latency. Which feature should be used to improve read performance?

A. DynamoDB Global Tables
B. DynamoDB Streams
C. DynamoDB Accelerator (DAX)
D. DynamoDB Time to Live (TTL)
Answer: C

DAX is an in-memory cache for DynamoDB, improving read performance.

Why this answer

Option C is correct: DynamoDB Accelerator (DAX) is an in-memory cache that reduces read latency. Option B is wrong because DynamoDB Streams is for change data capture, not caching.

Option A is wrong because Global Tables are for multi-region replication, not read performance within a region. Option D is wrong because TTL is for automatic item expiration, not caching.

162
MCQ · medium

A company is building a serverless application using AWS Lambda functions that write results to an Amazon DynamoDB table. The Lambda functions are invoked by an Amazon API Gateway REST API. During testing, some requests fail with a 503 status code. The Lambda function code is correct. What is the MOST likely cause of the 503 errors?

A. The DynamoDB table has insufficient write capacity.
B. The Lambda function execution time exceeds the configured timeout.
C. The Lambda function's IAM role does not have permission to write to DynamoDB.
D. The API Gateway stage has throttling limits configured.
Answer: B

Lambda timeout causes API Gateway to return a 503.

Why this answer

Option B is correct because 503 errors from API Gateway typically indicate that the Lambda function is not returning a response within the timeout. Option A is wrong because DynamoDB writes are asynchronous from API Gateway's perspective. Option C is wrong because missing IAM role would cause 500 or 403, not 503.

Option D is wrong because throttling would cause 429, not 503.

163
MCQ · medium

A developer has an AWS Lambda function that processes messages from an Amazon SQS standard queue. The function is idempotent and currently has a batch size of 10. The developer wants to increase throughput and increases the batch size to 100. After the change, CloudWatch metrics show a significant increase in throttles and the queue backlog is growing. The function's reserved concurrency is set to 10. What is the most effective action to resolve the throttling and improve throughput?

A. Increase the reserved concurrency of the Lambda function
B. Increase the memory allocation of the Lambda function
C. Switch the SQS queue to a FIFO queue
D. Decrease the batch size back to 10
Answer: A

Higher concurrency allows more invocations to run simultaneously, reducing throttling and enabling the function to consume the larger batch size effectively.

Why this answer

Increasing the reserved concurrency from 10 to a higher value directly addresses the root cause of throttling. With a batch size of 100, each invocation processes more messages, but the function's reserved concurrency of 10 limits the maximum number of concurrent executions to 10. This means the Lambda service can only invoke the function 10 times at once, regardless of how many messages are in the queue.

By raising reserved concurrency, you allow more concurrent invocations to handle the larger batches, reducing throttling and improving throughput.

Exam trap

The trap here is that candidates often assume throttling is due to function performance (memory or CPU) and choose to increase memory, when in fact the issue is a concurrency limit that prevents the function from scaling to handle the larger batch size.

How to eliminate wrong answers

Option B is wrong because increasing memory allocation improves CPU and network performance per invocation but does not increase the number of concurrent executions allowed, so it cannot resolve throttling caused by hitting the reserved concurrency limit. Option C is wrong because switching to a FIFO queue would reduce throughput due to its strict message ordering and limited concurrency (FIFO queues support a maximum of 300 transactions per second with batching), which is counterproductive when trying to increase throughput. Option D is wrong because decreasing the batch size back to 10 would reduce the number of messages processed per invocation, lowering throughput and failing to address the underlying concurrency bottleneck.

164
MCQ · medium

A developer is creating a REST API using Amazon API Gateway with Lambda proxy integration. The API needs to accept and return binary data such as images or PDF files. The developer has configured the API to use the Lambda proxy integration. What additional configuration is required to support binary data?

A. Set the Content-Type header to application/octet-stream in the Lambda response.
B. In API Gateway, add the binary media types to the API settings, e.g., image/png, application/pdf.
C. Use an API Gateway custom domain with an SSL certificate.
D. Enable API caching with binary support.
Answer: B

Correct. This tells API Gateway which responses should be treated as binary data.

Why this answer

With Lambda proxy integration, API Gateway passes the client request as-is to Lambda and returns the Lambda response as-is to the client. To handle binary data, you must explicitly declare the binary media types (e.g., image/png, application/pdf) in the API Gateway REST API settings. This tells API Gateway to base64-encode the binary payload before sending it to Lambda and to decode the base64-encoded response from Lambda back to binary for the client.

Without this configuration, API Gateway treats all payloads as text and will corrupt binary data.

Exam trap

The trap here is that candidates assume Lambda proxy integration automatically handles binary data because it passes everything through, but in reality, API Gateway requires explicit binary media type configuration to avoid corrupting binary payloads during base64 encoding/decoding.

How to eliminate wrong answers

Option A is wrong because setting the Content-Type header to application/octet-stream in the Lambda response alone does not enable API Gateway to handle binary data; API Gateway must be explicitly configured with the binary media types in the API settings, and the Lambda response must also include the correct isBase64Encoded flag set to true. Option C is wrong because using a custom domain with an SSL certificate is related to HTTPS endpoint configuration and custom domain names, not to enabling binary data support in API Gateway. Option D is wrong because API caching is a performance optimization feature that caches responses; it does not provide or enable binary data handling, and there is no 'binary support' toggle in API caching.

165
MCQ · medium

A developer is building an application that needs to store session state data for a web application running on multiple EC2 instances behind an ALB. The data is ephemeral and should not persist if an instance is terminated. Which storage option should the developer use?

A. Amazon ElastiCache
B. Amazon RDS
C. Amazon DynamoDB
D. Amazon S3
Answer: A

ElastiCache is an in-memory cache that provides low-latency access and ephemeral storage, perfect for session state.

Why this answer

Amazon ElastiCache is the correct choice because it provides a managed in-memory cache (e.g., Redis or Memcached) that is ideal for storing ephemeral session state data. Session data is temporary and must be shared across multiple EC2 instances behind an ALB, and ElastiCache offers sub-millisecond latency and automatic key expiration, ensuring data is not persisted if an instance terminates. This aligns with the requirement for non-persistent, high-performance session storage that survives individual instance failures.

Exam trap

The trap here is that candidates often confuse durable storage (like DynamoDB or RDS) with ephemeral storage, failing to recognize that the requirement 'should not persist if an instance is terminated' explicitly calls for a non-persistent, in-memory solution like ElastiCache, not a database that guarantees data durability.

How to eliminate wrong answers

Option B (Amazon RDS) is wrong because RDS is a relational database designed for persistent, durable storage with ACID transactions, not for ephemeral session state; it introduces unnecessary overhead, cost, and latency for temporary data that should not survive instance termination. Option C (Amazon DynamoDB) is wrong because DynamoDB is a NoSQL database that provides durable, persistent storage with eventual consistency, which contradicts the requirement that data should not persist if an instance is terminated; it is better suited for long-lived application data rather than transient session state. Option D (Amazon S3) is wrong because S3 is an object storage service for durable, persistent data with high latency compared to in-memory solutions; it is not designed for low-latency session state access and would incur unnecessary costs and performance penalties for ephemeral data.

166
MCQ · easy

A developer is using Amazon API Gateway to create a REST API. The API must support CORS (Cross-Origin Resource Sharing) to allow requests from a web application hosted on a different domain. What must the developer do to enable CORS?

A. Use Amazon CloudFront to proxy the API and add CORS headers.
B. Enable CORS in the API Gateway settings and configure the required headers.
C. Nothing; API Gateway automatically handles CORS.
D. Add CORS headers in the Lambda function code.
Answer: B

API Gateway can be configured to return CORS headers.

Why this answer

Option B is correct because API Gateway can enable CORS by adding the appropriate headers. Option C is incorrect because CORS is not automatically enabled. Option D is incorrect because Lambda does not handle CORS headers for API Gateway.

Option A is incorrect because CloudFront is not required.

167
MCQ · medium

A developer is using AWS Elastic Beanstalk to deploy a web application. The application writes logs to the local file system. The developer wants to ensure that logs are automatically rotated and retained for 30 days. What should the developer do?

A. Modify the application code to write logs directly to an S3 bucket with lifecycle policies.
B. Add a cron job to the EC2 instances that compresses and deletes old logs.
C. Configure the Elastic Beanstalk environment to enable log rotation and set retention period to 30 days.
D. Install the CloudWatch Logs agent on the EC2 instances and configure it to stream logs to CloudWatch Logs with a 30-day retention.
Answer: C

Elastic Beanstalk provides built-in log rotation and retention settings.

Why this answer

Option C is correct because Elastic Beanstalk can be configured to rotate and retain logs by setting the appropriate option settings in the environment configuration. Option D is wrong because CloudWatch Logs agent without rotation configuration may not handle log rotation properly. Option B is wrong because a cron job is a manual approach and not integrated with Elastic Beanstalk.

Option A is wrong because storing logs in S3 via a script is not automatic rotation.

168
MCQ · easy

A developer wants to store application configuration data that can be accessed by multiple microservices. The data is sensitive and should be encrypted at rest. Which AWS service should be used to meet these requirements?

A. Amazon S3
B. AWS Identity and Access Management (IAM)
C. Amazon DynamoDB
D. AWS Systems Manager Parameter Store
Answer: D

Supports encrypted parameters and secure access.

Why this answer

Option D is correct because AWS Systems Manager Parameter Store supports encrypted parameters using KMS. Option A is wrong because S3 is not a configuration store and requires additional IAM policies. Option C is wrong because DynamoDB can store configuration but does not natively encrypt at rest without additional setup.

Option B is wrong because IAM is for access management, not configuration storage.

169
MCQ · hard

Refer to the exhibit. A developer created the CloudFormation template snippet. After deployment, the developer uploads a file to the bucket, but the Lambda function is not invoked. What is the MOST likely cause?

A. The bucket has a bucket policy that denies s3:PutObject for the IAM user.
B. The bucket has versioning enabled, which blocks event notifications.
C. The lifecycle rule moves objects to Glacier before the notification is sent.
D. The Lambda function returned an error, so the invocation failed silently.
Answer: A

If the upload fails due to permissions, no event is sent.

Why this answer

Option A is correct because S3 bucket policies that deny s3:PutObject would prevent the upload from triggering the event. Option B is wrong because versioning does not affect notifications. Option C is wrong because lifecycle rules do not affect immediate events.

Option D is wrong because Lambda function errors do not prevent invocation.

170
Multi-Select · medium

A company is using Amazon RDS for MySQL with Multi-AZ deployment. The application writes to the database using the primary endpoint. The company wants to improve read performance and offload read traffic from the primary instance. Which TWO actions should the company take? (Choose TWO.)

Select 2 answers
A. Create an Amazon RDS read replica in the same region.
B. Add another primary instance and configure replication.
C. Modify the application to use the read replica endpoint for SELECT queries.
D. Use the Multi-AZ secondary instance endpoint for read queries.
E. Enable Amazon RDS Proxy to distribute read queries across instances.
Answers: A, C

A read replica can handle read traffic, reducing load on the primary.

Why this answer

Option A is correct because a read replica can serve read traffic. Option C is correct because the application should use the read replica endpoint for read queries. Option D is wrong because Multi-AZ does not provide a separate read endpoint; the secondary is standby.

Option E is wrong because RDS Proxy is for connection pooling, not read scaling. Option B is wrong because creating additional primary instances is not supported; RDS has one primary per DB instance.

171
MCQ · easy

A developer needs to store session state data for a web application running on multiple EC2 instances. The data must be highly available and durable. Which AWS service should be used?

A. Amazon ElastiCache
B. Amazon S3
C. Amazon EBS
D. Amazon CloudFront
Answer: A

In-memory caching service for session state.

Why this answer

Option A is correct because ElastiCache provides a high-performance, highly available in-memory cache suitable for session state. Option B is wrong because S3 is object storage, not ideal for low-latency session state. Option C is wrong because EBS volumes are attached to a single instance.

Option D is wrong because CloudFront is a CDN, not a session store.

172
Multi-Select · medium

A developer is designing a mobile application that needs to upload files to Amazon S3. The developer wants to use temporary credentials to avoid storing long-term AWS credentials on the device. Which TWO services should the developer use together?

Select 2 answers
A. AWS Security Token Service (STS)
B. Amazon Cognito
C. Amazon S3 Transfer Acceleration
D. AWS Identity and Access Management (IAM)
E. AWS Key Management Service (KMS)
Answers: A, B

STS issues temporary credentials.

Why this answer

Option B (Amazon Cognito) is correct because it provides identity pools for temporary AWS credentials. Option A (AWS STS) is correct because it issues temporary credentials. Option D is wrong because IAM is for long-term users.

Option E is wrong because KMS is for encryption. Option C is wrong because S3 Transfer Acceleration is for speed.

173
MCQ · easy

A developer configures an AWS Lambda function to process image files uploaded to an S3 bucket. The bucket receives a mix of .jpg, .png, and .pdf files. The developer wants to invoke the Lambda function only for image files to reduce costs. Which configuration should the developer use?

A. Configure an S3 event notification with a prefix filter 'images/'
B. Configure an S3 event notification with a suffix filter '.jpg' and '.png'
C. Create a Lambda resource-based policy that denies invocation from S3 for .pdf objects
D. Add an S3 bucket policy that denies PutObject for any object that is not a .jpg or .png
Answer: B

Suffix filters allow you to invoke the Lambda function only for objects with specific file extensions, e.g., '.jpg' and '.png'.

Why this answer

Option B is correct because S3 event notifications support suffix filtering, allowing you to specify object key suffixes like '.jpg' and '.png'. This ensures the Lambda function is invoked only when objects with those extensions are uploaded, filtering out .pdf files and reducing unnecessary invocations and costs.

Exam trap

The trap here is that candidates confuse S3 event notification filters (which control which objects trigger the event) with resource-based policies (which control invocation permissions), leading them to choose option C or D instead of the correct suffix filter.

How to eliminate wrong answers

Option A is wrong because a prefix filter 'images/' would only filter objects whose key starts with 'images/', not by file type; .pdf files could still be uploaded to that prefix and trigger the function. Option C is wrong because a Lambda resource-based policy controls who can invoke the function, not which S3 objects trigger it; S3 event notifications are configured separately and cannot be filtered by a resource policy. Option D is wrong because an S3 bucket policy that denies PutObject for non-image files would prevent uploads of .pdf files entirely, which is not the requirement—the developer only wants to avoid processing them, not block them.

174
MCQeasy

A developer is creating an API with Amazon API Gateway that needs to accept binary data (e.g., images) and store them directly in an S3 bucket. The developer wants to minimize backend complexity. Which integration type should be used?

A.AWS service integration with S3
B.Lambda proxy integration
C.HTTP integration
D.Mock integration
AnswerA

This allows API Gateway to directly interact with S3 to store objects, minimizing backend complexity.

Why this answer

AWS service integration with S3 allows API Gateway to directly proxy binary data (e.g., images) to an S3 bucket without invoking a Lambda function or other backend. This minimizes backend complexity because the API Gateway handles the request transformation and passes the payload directly to S3 via the PutObject API action, eliminating the need for custom code.

Exam trap

The trap here is that candidates often default to Lambda proxy integration for any data processing task, overlooking that direct AWS service integration can handle binary uploads to S3 without any compute layer, which is the simplest and most cost-effective approach.

How to eliminate wrong answers

Option B (Lambda proxy integration) is wrong because it introduces unnecessary backend complexity by requiring a Lambda function to receive the binary data and then upload it to S3, adding compute cost and latency. Option C (HTTP integration) is wrong because it would require a separate HTTP endpoint (e.g., on EC2 or on-premises) to receive the data and then forward it to S3, defeating the goal of minimizing backend complexity. Option D (Mock integration) is wrong because it only returns static responses from API Gateway without actually storing any data in S3, so it cannot fulfill the requirement of persisting binary data.

175
MCQeasy

A developer is creating an AWS Lambda function that processes messages from an Amazon SQS queue. The function should process each message only once. Which SQS queue type should the developer use?

A.Amazon SQS does not support exactly-once processing.
B.Dead-letter queue
C.FIFO queue
D.Standard queue
AnswerC

Guarantees exactly-once processing.

Why this answer

Option A is correct because standard queues provide at-least-once delivery, not exactly-once. Option B is correct because FIFO queues guarantee exactly-once processing. Option C is wrong because DLQs are for failed messages. Option D is wrong because dead-letter queue is a feature, not a type.

176
MCQhard

A developer is using AWS Lambda with Amazon API Gateway to build a REST API. The Lambda function is written in Node.js and uses the 'aws-sdk' to interact with DynamoDB. When the function is invoked, it consistently takes more than 10 seconds to complete, causing API Gateway to timeout (default timeout is 29 seconds). The developer wants to reduce latency. What should the developer do FIRST?

A.Increase the Lambda function timeout in the function configuration.
B.Switch from DynamoDB to Amazon RDS for faster queries.
C.Attach an IAM role to the Lambda function to speed up DynamoDB access.
D.Enable provisioned concurrency on the Lambda function to reduce cold starts.
AnswerD

Correct: Provisioned concurrency keeps instances warm, reducing latency.

Why this answer

Option D is correct because the cold start is the most common cause of high latency in Lambda, especially for Node.js. Provisioned concurrency keeps the function warm. Option A is wrong because increasing timeout does not reduce latency. Option B is wrong because Lambda has an execution role, not an attached IAM role. Option C is wrong because DynamoDB is typically not the bottleneck.

177
MCQmedium

A developer is using AWS SAM to deploy a serverless application. The template includes a Lambda function that connects to an RDS MySQL database. The function works correctly in the developer's account but fails with a timeout when deployed to a production account. What is the MOST likely cause?

A.The Lambda function timeout is set too low for the database query.
B.The Lambda function is not attached to the same VPC as the RDS instance.
C.The SAM template does not support RDS as an event source.
D.The Lambda function uses a runtime that is not compatible with the MySQL client.
AnswerB

Lambda needs to be in the same VPC to access RDS privately.

Why this answer

Option B is correct because the Lambda function may not have a VPC configuration to access the RDS database in the production account. Option A is wrong because SAM supports RDS connections. Option C is wrong because Lambda's default timeout is 3 seconds, but the function may have a higher timeout set. Option D is wrong because Lambda supports Python natively.

178
MCQeasy

A developer is reviewing a CloudFormation template that creates an S3 bucket and a Lambda function. The Lambda function's code is stored in the S3 bucket. What is a potential issue with this template?

A.The Lambda function's role is referenced incorrectly; it should be 'Ref' instead of 'GetAtt'.
B.The Lambda function depends on the S3 bucket, but there is no DependsOn clause to ensure the bucket is created first.
C.The bucket name 'my-unique-bucket-12345' is not globally unique.
D.The bucket must have versioning enabled to store Lambda code.
AnswerB

CloudFormation may attempt to create the Lambda function before the bucket exists, causing failure.

Why this answer

Option B is correct because CloudFormation tries to create both resources in parallel, but the Lambda function needs the S3 bucket to exist first to retrieve the code. Additionally, the bucket must have the code uploaded before stack creation. Option A is wrong because the reference is valid. Option C is wrong because versioning is not required. Option D is wrong because the role reference is correct.

179
MCQeasy

A developer needs to store temporary session data for a web application running on Amazon EC2 behind an Application Load Balancer. The data must be accessible across multiple EC2 instances. Which AWS service should the developer use?

A.Amazon ElastiCache
B.Amazon EBS
C.Amazon DynamoDB
D.Amazon S3
AnswerA

ElastiCache provides a fast, in-memory cache ideal for session data that needs to be shared across instances.

Why this answer

Option C is correct because ElastiCache (Redis or Memcached) provides a low-latency, shared cache for session data. Option A is wrong because S3 is object storage with higher latency. Option B is wrong because DynamoDB is a NoSQL database, but session data is temporary and better suited for caching. Option D is wrong because EBS volumes cannot be shared across instances.

180
MCQmedium

A developer is building a chat application using WebSockets. The application runs on multiple EC2 instances and needs to broadcast messages to all connected clients. Which AWS service can handle the WebSocket connections and route messages?

A.Amazon SQS with long polling
B.Application Load Balancer with WebSocket support
C.Amazon CloudFront with WebSocket support
D.Amazon API Gateway WebSocket API
AnswerD

API Gateway WebSocket API can manage connections and broadcast messages.

Why this answer

Correct: A. Amazon API Gateway supports WebSocket APIs and can manage connections and broadcast messages. Option B is wrong because ALB supports WebSocket but does not provide broadcasting capabilities. Option C is wrong because CloudFront is a CDN and does not natively support WebSocket broadcasting. Option D is wrong because SQS is a queue, not for WebSocket management.

181
MCQeasy

A developer runs the AWS CLI command to invoke a Lambda function synchronously. What does the output indicate?

A.The Lambda function executed successfully and returned a response.
B.The Lambda function failed validation.
C.The Lambda function was not found.
D.The Lambda function timed out.
AnswerA

StatusCode 200 indicates success, and response.json contains the output.

Why this answer

Option A is correct. The StatusCode 200 indicates the invocation was successful, and the response contains the Lambda function's output. Option B (validation error) would return a different status code. Option C (timeout) would return a timeout error. Option D (function not found) would return 404.

182
MCQhard

A Lambda function connects to an RDS database and causes too many database connections during traffic spikes. Which service should be introduced?

A.AWS Glue Data Catalog
B.Amazon RDS Proxy
C.Amazon Route 53 Resolver
D.AWS WAF
AnswerB

Correct for the stated requirement.

Why this answer

Amazon RDS Proxy sits between your Lambda function and the RDS database, managing a pool of established database connections. During traffic spikes, Lambda can rapidly scale up concurrent executions, each potentially opening a new database connection, which can exhaust the database's maximum connections. RDS Proxy reuses connections from the pool, reducing the number of open connections and preventing database overload, while also improving connection handling efficiency for serverless applications.

Exam trap

The trap here is that candidates might confuse AWS WAF (a web firewall) or Route 53 (DNS) with database connection management, or incorrectly think that Glue Data Catalog can somehow cache or pool database connections, when in fact only RDS Proxy directly addresses the connection scaling issue for Lambda and RDS.

How to eliminate wrong answers

Option A is wrong because AWS Glue Data Catalog is a metadata repository for data assets in AWS Glue and Athena, not a connection pooling or proxy service for RDS databases. Option C is wrong because Amazon Route 53 Resolver is a DNS service for resolving domain names within VPCs, and it does not manage database connections or connection pooling. Option D is wrong because AWS WAF is a web application firewall that protects against common web exploits like SQL injection and cross-site scripting, but it does not handle database connection management or pooling.

183
MCQhard

Refer to the exhibit. A developer runs the AWS CLI command to invoke a Lambda function. The command succeeds, but the function returns an error. The developer wants to see the error message and logs from the function execution. What should the developer add to the command?

A.--client-context string
B.--qualifier alias
C.--invocation-type Event
D.--log-type Tail
AnswerD

This returns the last 4 KB of log data.

Why this answer

The --log-type Tail option returns the last 4 KB of log data. Option B is correct. Option A is incorrect because --invocation-type Event is for async invocation. Option C is incorrect because --client-context is for passing context. Option D is incorrect because --qualifier is for version/alias.

184
Multi-Selecteasy

Which TWO AWS services can be used to deploy and manage containerized applications? (Choose two.)

Select 2 answers
A.Amazon EC2
B.Amazon ECS
C.Amazon RDS
D.AWS Lambda
E.Amazon EKS
AnswersB, E

ECS is a container orchestration service.

Why this answer

Amazon ECS is a container orchestration service. Amazon EKS is a managed Kubernetes service. AWS Lambda is for serverless functions, not containers. Amazon EC2 is for virtual machines, not specifically for containers. Amazon RDS is a managed database service.

185
MCQmedium

A Lambda function must share reusable validation code across several functions without packaging the same library into every deployment artifact. What should be used?

A.Lambda layer
B.API Gateway usage plan
C.S3 multipart upload
D.CloudWatch metric filter
AnswerA

Correct for the stated requirement.

Why this answer

Lambda layers allow you to centrally manage reusable code (e.g., validation libraries) and share it across multiple Lambda functions without packaging it into each deployment artifact. When you attach a layer to a function, the layer's content is extracted into the /opt directory, making it available at runtime. This avoids duplication and simplifies updates, as you only need to update the layer version rather than every function's deployment package.

Exam trap

The trap here is that candidates may confuse Lambda layers with other AWS services that handle 'sharing' (like API Gateway usage plans for sharing API access) or 'packaging' (like S3 multipart upload for large files), but only Lambda layers are designed to share code and dependencies across functions without repackaging.

How to eliminate wrong answers

Option B is wrong because API Gateway usage plans are used to throttle and quota API requests, not to share code across Lambda functions. Option C is wrong because S3 multipart upload is a mechanism for uploading large objects in parts, not for distributing reusable code to Lambda functions. Option D is wrong because CloudWatch metric filters are used to extract metric data from log streams, not to share or package code for Lambda.

186
MCQeasy

A developer is writing a Lambda function that processes images uploaded to an S3 bucket. The function needs to extract metadata from the image. Which S3 feature can be used to automatically trigger the Lambda function?

A.S3 Events
B.S3 Inventory
C.S3 Transfer Acceleration
D.S3 Batch Operations
AnswerA

S3 Events can trigger Lambda function executions on object creation events.

Why this answer

Amazon S3 Events can be configured to send a notification when an object is created (e.g., via PutObject) in an S3 bucket. This event can directly invoke an AWS Lambda function, making it the correct service to automatically trigger the function upon image upload. The developer simply needs to set up an S3 event notification with the Lambda function as the destination.

Exam trap

The trap here is that candidates may confuse S3 Batch Operations (which can invoke Lambda functions for batch processing) with real-time event triggers, but Batch Operations require a manual job initiation and do not automatically fire on each upload.

How to eliminate wrong answers

Option B (S3 Inventory) is wrong because it is used to generate a list of objects and their metadata for auditing or compliance, not to trigger real-time event-driven actions. Option C (S3 Transfer Acceleration) is wrong because it only speeds up uploads over long distances using edge locations; it has no mechanism to invoke Lambda functions. Option D (S3 Batch Operations) is wrong because it performs bulk actions (like copying or tagging) on existing objects via a job, not real-time event triggering upon object creation.

187
MCQeasy

A developer is designing a microservices architecture where each service runs in its own Amazon ECS container. Services need to communicate with each other. The developer wants to simplify service discovery and load balancing. Which AWS service should the developer use?

A.AWS Cloud Map
B.Elastic Load Balancing
C.Amazon ECS service discovery
D.Amazon Route 53
AnswerA

AWS Cloud Map provides service discovery for resources like ECS tasks.

Why this answer

Option C is correct because AWS Cloud Map provides service discovery for microservices. Option A is incorrect because Route 53 is for DNS, but not optimized for dynamic service discovery. Option B is incorrect because ELB is for load balancing, not service discovery. Option D is incorrect because Amazon ECS does not have built-in service discovery.

188
Multi-Selecthard

Which TWO AWS services can be used to send messages between microservices in a decoupled manner? (Choose two.)

Select 2 answers
A.Amazon SQS
B.Amazon SNS
C.AWS Lambda
D.Amazon MQ
E.Amazon Kinesis Data Streams
AnswersA, B

Decouples components via message queues.

Why this answer

Option A (Amazon SQS) and Option B (Amazon SNS) are correct. SQS is a message queue, SNS is a pub/sub messaging service. Option C (Amazon Kinesis Data Streams) is for real-time streaming, not typically for simple messaging. Option D (AWS Lambda) is a compute service. Option E (Amazon MQ) is a managed message broker, but SQS and SNS are the primary decoupling services.

189
MCQmedium

A company is using AWS Lambda functions to process events from Amazon S3. The functions are writing logs to CloudWatch Logs. Recently, they noticed that some logs are missing and the functions are experiencing throttling errors. What is the MOST likely cause?

A.The CloudWatch Logs log group retention policy is set too low.
B.The Lambda function's reserved concurrency is set to a low value.
C.The Lambda function's IAM role lacks permissions to write to CloudWatch Logs.
D.The S3 bucket is sending too many event notifications.
AnswerB

Reserved concurrency limits the number of concurrent executions, causing throttling when exceeded.

Why this answer

Option D is correct because Lambda concurrency limits cause throttling when exceeded. Option A is wrong because CloudWatch Logs doesn't cause throttling. Option B is wrong because S3 event notifications are asynchronous and not a source of throttling. Option C is wrong because IAM roles affect permissions, not concurrency.

190
Multi-Selecteasy

A developer needs to monitor the performance of an Amazon RDS for MySQL database. Which TWO metrics should the developer monitor to detect a potential CPU bottleneck?

Select 2 answers
A.FreeStorageSpace
B.DatabaseConnections
C.CPUUtilization
D.NetworkThroughput
E.ReadLatency
AnswersB, C

High connection count can lead to CPU contention.

Why this answer

Option B is correct because CPUUtilization directly shows CPU usage. Option D is correct because DatabaseConnections can indicate high load causing CPU contention. Option A is wrong because FreeStorageSpace is storage. Option C is wrong because ReadLatency is I/O. Option E is wrong because NetworkThroughput is network.

191
MCQeasy

A developer is building a serverless REST API using Amazon API Gateway and AWS Lambda. The API should return JSON responses to client requests. The developer is using the Lambda proxy integration. What is the simplest way to return a JSON response from the Lambda function?

A.Return a string from the Lambda handler.
B.Return a dictionary containing 'statusCode', 'headers', and 'body' with 'body' as a JSON string.
C.Use API Gateway integration response and mapping templates to transform the Lambda output.
D.Return a JSON object from Lambda and set a Content-Type header in the API Gateway method response.
AnswerB

This format satisfies the API Gateway proxy integration contract, allowing the client to receive a proper JSON response.

Why this answer

With Lambda proxy integration, API Gateway passes the entire request to the Lambda function and expects the function to return a specific response format. The simplest way to return a JSON response is to return a dictionary (or object) containing 'statusCode', 'headers', and 'body', where 'body' is a JSON string. This format is required by API Gateway to correctly interpret the Lambda output and forward it to the client.

Exam trap

The trap here is that candidates often think returning a JSON object directly from Lambda is sufficient, but they overlook the requirement that the body must be a JSON string and the response must include the exact 'statusCode', 'headers', and 'body' keys for API Gateway proxy integration to work correctly.

How to eliminate wrong answers

Option A is wrong because returning a plain string from the Lambda handler will cause API Gateway to fail or return an unexpected response, as it expects a properly formatted response object. Option C is wrong because using API Gateway integration response and mapping templates adds unnecessary complexity; with proxy integration, the Lambda function itself is responsible for formatting the response, and mapping templates are not used. Option D is wrong because simply returning a JSON object from Lambda without the required 'statusCode', 'headers', and 'body' structure will not be parsed correctly by API Gateway, and setting a Content-Type header in the method response does not address the required Lambda response format.

192
MCQhard

A developer is building a real-time chat application using WebSocket APIs in Amazon API Gateway. The backend is an AWS Lambda function that stores connection IDs in an Amazon DynamoDB table. After a few days, the application stops working for new users. The developer checks CloudWatch Logs and sees that the Lambda function is returning 'AccessDeniedException' when calling DynamoDB. What is the MOST likely cause?

A.The Lambda function code was updated but the IAM role was not reattached.
B.The Lambda function uses an outdated AWS SDK version.
C.The API Gateway route was updated without redeploying the API.
D.The DynamoDB table was recreated and the Lambda function's IAM role still references the old table ARN.
AnswerD

If the table ARN changed, the IAM policy must be updated to allow access to the new table.

Why this answer

Option A is correct because the Lambda execution role must be updated when the DynamoDB table is recreated. Option B is wrong because Lambda function code updates don't change IAM roles. Option C is wrong because API Gateway permissions affect invocation, not DynamoDB access. Option D is wrong because an SDK version mismatch would cause different errors.

193
MCQmedium

A developer is using AWS CodePipeline to deploy a web application to an Auto Scaling group. The pipeline includes a deploy action that uses CodeDeploy. The deployment fails with the error: 'The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available, or some instances in your deployment group are experiencing problems.' Which of the following is the MOST likely cause?

A.The CodeDeploy agent is not sending logs to CloudWatch.
B.The deployment configuration has a minimum healthy instances setting that is too restrictive.
C.The application's lifecycle hooks are failing during the ApplicationStop event.
D.The instances were launched from an AMI that does not have the CodeDeploy agent installed.
AnswerB

The error indicates too few healthy instances.

Why this answer

Option A is correct because if the deployment configuration has a low minimum healthy instances threshold, the deployment may fail when instances become unhealthy. Option B is wrong because CodeDeploy can deploy to any instance, regardless of how it was launched. Option C is wrong because the application stops may be failing, but the error indicates a health issue. Option D is wrong because the CodeDeploy agent sends logs to CloudWatch, but that would not cause the error.

194
MCQhard

A developer is building a REST API using API Gateway and Lambda. The API must support multiple HTTP methods and use a custom domain name with an SSL certificate. The developer wants to enable caching for the /products GET endpoint to reduce latency. Which step is essential to enable caching for this specific endpoint?

A.Set the TTL (time-to-live) for the /products GET method to a non-zero value.
B.Enable caching on the /products GET method and specify cache key parameters.
C.Flush the API cache to start fresh.
D.Enable caching on the API stage and set the 'Cache Status' to 'AVAILABLE'.
AnswerB

This configures caching specifically for that method.

Why this answer

Caching is enabled at the stage level, but can be overridden per method by enabling caching on the method and setting the cache key parameters. Enabling caching on the stage without configuring the method does not cache responses for that method unless the method inherits. Setting TTL is not the essential step. Flushing the cache is for clearing it, not enabling it.

195
Multi-Selecthard

A developer is creating a CI/CD pipeline for a serverless application using AWS CodePipeline. The application includes Lambda functions and an API Gateway REST API. The pipeline should automatically deploy changes when code is pushed to a Git repository. Which THREE actions are required to set this up? (Choose THREE.)

Select 3 answers
A.Use AWS CloudFormation with a template to deploy the infrastructure.
B.Create a CodeCommit repository to store the source code.
C.Use AWS CodeStar to create a project dashboard.
D.Use CodeDeploy to deploy the application to Lambda.
E.Use AWS CodeBuild to run unit tests and package the application.
AnswersA, B, E

CloudFormation can deploy Lambda and API Gateway resources.

Why this answer

Options A, C, and E are correct. CodePipeline needs a source stage (CodeCommit), a build stage (CodeBuild), and a deploy stage (CloudFormation). Option B is wrong because CodeDeploy is for EC2/Lambda but CloudFormation is more appropriate for serverless resources. Option D is wrong because CodeStar is not required.

196
Multi-Selectmedium

Which THREE of the following are valid use cases for AWS Lambda? (Choose three.)

Select 3 answers
A.Processing records from a DynamoDB Stream in real time
B.Running a scheduled task every hour to clean up old database records
C.Serving as a web server for a static website
D.Hosting a long-running web application with WebSockets
E.Processing objects uploaded to an S3 bucket
AnswersA, B, E

DynamoDB Streams can trigger Lambda for real-time processing.

Why this answer

Correct: A, C, and E. Lambda can process S3 events, run scheduled tasks via CloudWatch Events, and process DynamoDB Streams. Option B is wrong because Lambda is not suitable for long-running applications; maximum execution time is 15 minutes. Option D is wrong because Lambda cannot be used as a web server like EC2; it is event-driven and stateless.

197
MCQhard

A developer is designing a serverless application that processes large files uploaded to Amazon S3. Each file can be up to 5 GB. The processing involves extracting metadata and generating thumbnails. The developer wants to minimize processing time and cost. Which approach should the developer take?

A.Use S3 Object Lambda to process the object as it is being retrieved.
B.Use an S3 event notification to invoke a Lambda function that copies the object to an EC2 instance for processing.
C.Use AWS Fargate to run a container that polls S3 for new objects and processes them.
D.Use an S3 event notification to invoke a Lambda function that downloads the file, processes it, and uploads results.
AnswerA

S3 Object Lambda processes data in-stream, minimizing data transfer and cost.

Why this answer

Option B is correct because S3 Object Lambda allows processing data on the fly without downloading the entire object, reducing data transfer and cost. Option A is wrong because Lambda has a 15-minute timeout and may not handle large files efficiently. Option C is wrong because Fargate is overkill for metadata extraction and thumbnail generation. Option D is wrong because transferring to EC2 adds cost and complexity.

198
MCQmedium

A company is using Amazon CloudFront to distribute static content from an S3 bucket. The content is updated frequently, but users see stale content. The developer wants to ensure that new content is served as soon as possible after an update. Which action should be taken?

A.Enable 'Origin Shield' to reduce the number of requests to S3.
B.Set the 'Minimum TTL' to 0 and 'Default TTL' to 0.
C.Set the 'Object Caching' to 0 in the CloudFront distribution.
D.Create a CloudFront invalidation for the updated files.
AnswerD

Invalidation removes objects from edge caches.

Why this answer

Option C is correct because creating a CloudFront invalidation for the updated objects ensures the edge caches are refreshed. Option A is wrong because 'Object Caching' can be set to 0, but that increases load. Option B is wrong because 'Minimum TTL' of 0 allows caching but does not clear existing cache. Option D is wrong because 'Origin Shield' reduces origin load but does not invalidate cache.

199
Multi-Selectmedium

A developer is designing a serverless application using AWS Lambda and Amazon S3. The application must process files immediately after they are uploaded to an S3 bucket. Which TWO services can be used to trigger the Lambda function?

Select 2 answers
A.Amazon Kinesis Data Streams
B.Amazon CloudWatch Events
C.Amazon SQS
D.Amazon SNS
E.AWS Lambda S3 event notifications
AnswersD, E

S3 can send event notifications to SNS, which can then invoke the Lambda function.

Why this answer

Options A and C are correct. S3 can publish events to SNS, and SNS can invoke Lambda via subscription. S3 can also directly invoke Lambda via S3 event notifications. Option B is incorrect because SQS cannot directly invoke Lambda; it requires a Lambda trigger configured with SQS as the event source. Option D is incorrect because Kinesis Data Streams is not a direct S3 event target. Option E is incorrect because CloudWatch Events can schedule Lambda but not trigger on S3 events directly without a custom solution.

200
MCQhard

An IAM policy is attached to an IAM user. What is the effect of this policy on the user's ability to delete objects in the bucket my-bucket?

A.The user can delete objects from any IP address.
B.The user is denied the ability to delete objects regardless of source IP.
C.The user can delete objects only if the source IP is not 192.0.2.0/24.
D.The user can delete objects only if the source IP is 192.0.2.0/24.
AnswerB

No Allow statement exists for DeleteObject, so implicit deny applies.

Why this answer

Option B is correct because the Deny statement has a condition that only denies the action when the source IP is NOT in the specified range. If the source IP is in 192.0.2.0/24, the Deny condition is not met, so the Deny statement does not apply. However, there is no explicit Allow for DeleteObject, so the action is implicitly denied. If there were an Allow, it would take effect whenever the Deny does not apply; because there is none, deletion is always denied, whatever the source IP.

201
Multi-Selectmedium

A DynamoDB query must support lookup by email address as well as by user ID. Which two changes may be required?

Select 2 answers
A.Create a secondary index with email as a key
B.Scan the full table for every login
C.Choose projection attributes needed by the query
D.Disable partition keys
AnswersA, C

Correct for the stated requirement.

Why this answer

Option A is correct because a Global Secondary Index (GSI) or Local Secondary Index (LSI) on the email attribute allows DynamoDB to efficiently query by email address without scanning the entire table. Since the primary key is user ID, querying by email requires an index that uses email as the partition key or sort key. Option C is correct because specifying projection attributes limits the data returned from the index or table, reducing read capacity consumption and improving performance.

Exam trap

The trap here is that candidates may think a Scan is acceptable for low-volume logins, but the exam emphasizes that any production authentication system must use an index to avoid full table scans and meet latency requirements.

202
MCQhard

A developer attaches this IAM policy to an IAM user. The user tries to upload an object to the S3 bucket my-bucket from an IP address of 10.0.1.5. What will happen?

A.The upload will fail because the IP address is not within the allowed range.
B.The upload will fail because the bucket policy denies access.
C.The upload will succeed because the policy allows s3:PutObject.
D.The upload will succeed because the condition is ignored for uploads.
AnswerA

The condition restricts to 10.0.0.0/24; 10.0.1.5 is not in that range.

Why this answer

Option A is correct because the condition restricts access to the IP range 10.0.0.0/24. The user's IP 10.0.1.5 is outside that range, so the request will be denied. Option C is wrong because even though the action is allowed, the condition denies it.

Option D is wrong because the condition is valid, is evaluated, and denies the request.

203
MCQmedium

A developer is building a serverless application that processes orders. An order is placed and an event is published to an Amazon SNS topic. The SNS topic has multiple subscribers, including an SQS queue for order processing and a Lambda function for sending notifications. The developer wants to ensure that the SQS queue receives all messages reliably, even if the processing Lambda function fails temporarily. Which configuration should the developer set?

A.Enable a dead-letter queue on the SQS queue
B.Enable SNS delivery retries for HTTP endpoints
C.Set the SQS queue's visibility timeout to a value greater than the Lambda function's processing time
D.Configure the SNS topic to use server-side encryption
AnswerA

Correct. A DLQ captures messages that cannot be processed after retries, ensuring no messages are lost.

Why this answer

A dead-letter queue (DLQ) on the SQS queue ensures that messages that cannot be processed successfully after the configured number of retries (maxReceiveCount) are moved to a separate queue for later analysis or reprocessing. This prevents message loss when the Lambda function fails temporarily, as the SQS queue will continue to receive messages from SNS reliably, and only messages that exceed the retry limit are redirected to the DLQ.

Exam trap

The trap here is that candidates confuse SNS delivery retries (which only apply to HTTP/HTTPS endpoints) with SQS's built-in retry mechanism via visibility timeout and DLQ, leading them to incorrectly select Option B.

How to eliminate wrong answers

Option B is wrong because SNS delivery retries for HTTP endpoints apply only to HTTP/S subscribers, not to SQS queues; SNS delivers messages to SQS synchronously via the AWS API, which does not use HTTP delivery retries. Option C is wrong because setting the SQS queue's visibility timeout greater than the Lambda function's processing time is a best practice to avoid duplicate processing, but it does not guarantee message reliability if the Lambda fails permanently; messages would remain in the queue but could be lost if the function never succeeds. Option D is wrong because server-side encryption (SSE) protects data at rest but has no effect on message delivery reliability or failure handling.

204
MCQeasy

A developer is building a serverless application using API Gateway and Lambda. The API Gateway REST API endpoint needs to be accessible only from a specific VPC. Which configuration should be used?

A.Attach a security group to the API Gateway.
B.Create a VPC endpoint for API Gateway and associate it with the API.
C.Enable private DNS on the API Gateway API.
D.Configure a resource policy with a condition using aws:SourceVpc.
AnswerD

Resource policies with aws:SourceVpc condition allow access only from specified VPCs.

Why this answer

Option D is correct because API Gateway REST APIs can be configured with a resource policy to allow access only from a specific VPC using the aws:SourceVpc condition key. Option C is wrong because private DNS is for VPC endpoints, not for controlling access. Option A is wrong because security groups are not used for API Gateway; they are for EC2.

Option B is wrong because API Gateway does not have VPC endpoints in the same way as other services.

205
MCQeasy

A developer needs to store session state for a stateless web application running on EC2 instances behind an Application Load Balancer. Which AWS service should the developer use to ensure session data is not lost if an instance fails?

A.Amazon S3
B.Amazon DynamoDB
C.Amazon ElastiCache
D.Amazon RDS
AnswerC

ElastiCache provides a managed in-memory cache, ideal for storing session state externally to maintain statelessness.

Why this answer

Option C (ElastiCache) is correct because it provides a managed in-memory cache that can store session state externally, making the application stateless. Option A (S3) is designed for object storage, not low-latency session storage. Option D (RDS) is a relational database, which adds latency and complexity for session state.

Option B (DynamoDB) can also store session state but is not the simplest or most cost-effective for this use case; ElastiCache is more common for session caching.

206
MCQmedium

A developer is deploying a serverless application using AWS SAM. The application includes an API Gateway endpoint that invokes a Lambda function. The developer wants to pass a stage name as a parameter to the Lambda function. How should the developer define the Lambda function's environment variable in the SAM template?

A.Use the parameter reference 'Ref: StageName' in the environment variable mapping.
B.Define the environment variable as 'Stage: dev' in the Lambda function configuration.
C.Use 'Fn::GetAtt: [AWS::StackName, Outputs.StageName]' to get the stage name.
D.Use 'Fn::ImportValue: StageName' to import from another stack.
AnswerA

Ref can reference a parameter defined in the template.

Why this answer

Option A is correct because the SAM template can use the Ref function to reference a parameter and assign it to an environment variable. Option B is wrong because it uses a hardcoded value. Option C is wrong because AWS::StackName would give the stack name, not the stage parameter, and GetAtt is not used for parameters.

207
MCQmedium

A company is developing a serverless application using AWS Lambda and API Gateway. The application needs to process user uploads to Amazon S3. The Lambda function must be invoked asynchronously after an object is uploaded to an S3 bucket. Which configuration should the developer use to invoke the Lambda function?

A.Configure the S3 bucket to send events to Lambda by adding a Lambda trigger in the S3 bucket properties.
B.Configure the S3 bucket to send events to an Amazon SQS queue and have Lambda poll the queue.
C.Configure the S3 bucket to send events to Amazon CloudWatch Events and have CloudWatch invoke Lambda.
D.Configure the S3 bucket to send events to an Amazon API Gateway endpoint that triggers the Lambda function.
AnswerA

S3 can directly invoke Lambda asynchronously using event notifications.

Why this answer

S3 can send event notifications to Lambda when an object is created. The Lambda function must be configured with a resource-based policy allowing S3 to invoke it. S3 event notifications are asynchronous.

API Gateway is not needed. CloudWatch Events can monitor but not directly trigger on S3 object creation. S3 batch operations are for large-scale batch jobs.

208
MCQhard

A developer is building a real-time chat application using Amazon API Gateway WebSocket APIs and AWS Lambda. The application needs to send messages to connected clients. The developer notices that the 'connectionId' changes every time a client reconnects. How should the developer store the mapping between user identity and connectionId?

A.Use Amazon ElastiCache to store the mapping in memory.
B.Use Amazon DynamoDB to store the mapping, with user identity as the partition key and connectionId as an attribute.
C.Use Amazon RDS to store the mapping in a relational database.
D.Use Amazon S3 to store the mapping as a JSON file.
AnswerB

DynamoDB is ideal for this use case due to its low latency and scalability.

Why this answer

Option B is correct because DynamoDB provides fast, scalable storage for the connectionId mapping. Option A is wrong because ElastiCache is ephemeral and not ideal for persistence. Option D is wrong because S3 is not designed for low-latency lookups.

Option C is wrong because RDS adds overhead and cost for this simple use case.

209
MCQeasy

A developer is creating an AWS Lambda function to process events from an Amazon SQS queue. The function must process each message exactly once and in order. Which SQS queue type should the developer use?

A.Standard queue.
B.FIFO queue.
C.Dead-letter queue.
D.Delay queue.
AnswerB

Correct. FIFO queues provide first-in-first-out delivery and exactly-once processing, satisfying the requirements.

Why this answer

The correct answer is B, FIFO queue. FIFO (First-In-First-Out) queues guarantee exactly-once processing and preserve the order of messages, which is required by the use case. Standard queues offer at-least-once delivery and do not guarantee order, making them unsuitable for this requirement.

Exam trap

The trap here is that candidates often confuse the 'exactly-once' and 'in-order' requirements with Standard queues, assuming they can achieve this with idempotent processing, but Standard queues explicitly do not guarantee order and can deliver duplicates.

How to eliminate wrong answers

Option A is wrong because Standard queues provide at-least-once delivery, meaning a message can be delivered more than once, and they do not guarantee message order. Option C is wrong because a Dead-letter queue is not a primary queue type; it is a secondary queue used to store messages that failed processing, not to process events in order with exactly-once semantics. Option D is wrong because a Delay queue is a feature of both Standard and FIFO queues that introduces a message delivery delay, but it does not provide exactly-once processing or ordering guarantees.

210
MCQeasy

A developer is building a serverless application using AWS Lambda to process files uploaded to an S3 bucket. The Lambda function needs to read the uploaded file, transform it, and write the result to a DynamoDB table. Which IAM policy statement should be attached to the Lambda execution role?

A.{"Effect":"Allow","Action":["s3:GetObject","dynamodb:PutItem"],"Resource":"*"}
B.{"Effect":"Allow","Action":["s3:PutObject","dynamodb:PutItem"],"Resource":"*"}
C.{"Effect":"Allow","Action":["s3:GetObject","dynamodb:UpdateItem"],"Resource":"*"}
D.{"Effect":"Allow","Action":["s3:GetObject","dynamodb:GetItem"],"Resource":"*"}
AnswerA

Correct actions for reading from S3 and writing to DynamoDB.

Why this answer

The Lambda execution role needs permissions for S3 GetObject and DynamoDB PutItem. Option A provides both. Option D lacks DynamoDB write.

Option B lacks S3 read. Option C uses an incorrect DynamoDB action.

211
MCQhard

A development team is building a real-time chat application using Amazon API Gateway WebSocket APIs and AWS Lambda. The application needs to maintain a connection to each user and broadcast messages to all connected clients. Which approach should the developer use to scale the application efficiently?

A.Store connection IDs in Amazon DynamoDB and use the API Gateway Management API to send messages to all connections.
B.Use Amazon ElastiCache to cache connection IDs and have Lambda send messages using the Redis pub/sub feature.
C.Use Amazon SNS to publish messages to all connected clients via the WebSocket API.
D.Use Amazon SQS to queue messages and have Lambda poll the queue to send messages to all connections.
AnswerA

DynamoDB stores connection IDs, and the Management API sends messages to each connection.

Why this answer

API Gateway WebSocket APIs maintain persistent connections. When a client sends a message, API Gateway invokes a Lambda function. To broadcast to all connected clients, the Lambda function needs to call the API Gateway Management API to send messages to each connection.

The connection IDs must be stored in a shared data store like DynamoDB. The other options are not suitable: SQS is for message queuing, not broadcasting; SNS is pub/sub but doesn't integrate directly with WebSocket connections; ElastiCache is not designed for this use case.

212
MCQmedium

A company runs a batch processing job on Amazon ECS using Fargate. The job processes files from an S3 bucket and writes results to another S3 bucket. The job runs once per day and takes about 30 minutes. The company wants to reduce costs by stopping the ECS service when not in use. Which solution should the developer implement?

A.Use an AWS Lambda function to run the job and configure a scheduled event in Amazon EventBridge.
B.Use AWS Batch with a Fargate launch type and schedule the job with Amazon EventBridge.
C.Use Amazon ECS Service Auto Scaling to scale the service down to zero tasks when not in use.
D.Use an Amazon EC2 Auto Scaling group to launch an instance, run the job, and then terminate.
AnswerB

AWS Batch runs the job and scales resources to zero when idle.

Why this answer

AWS Batch is designed for batch computing jobs. It can launch Fargate tasks, run the job, and then stop the resources automatically. The developer can define a job queue and job definition, and schedule the job with Amazon EventBridge (CloudWatch Events).

AWS Step Functions can orchestrate but is more complex. ECS Scheduled Tasks can also work, but AWS Batch is purpose-built for this and handles retries, dependencies, and cost optimization better. The other options are not appropriate: EC2 Auto Scaling scales EC2 instances, not Fargate tasks; Lambda has a 15-minute timeout; ECS Service Auto Scaling keeps desired count at least 1, not 0.

213
MCQeasy

A developer is deploying a containerized application on Amazon ECS using Fargate. The application needs to store sensitive configuration data, including database passwords, that must be rotated regularly. Which service should the developer use to manage these secrets securely?

A.Amazon S3 with server-side encryption
B.AWS Secrets Manager
C.Amazon DynamoDB with server-side encryption
D.AWS Systems Manager Parameter Store
AnswerB

Secrets Manager provides automatic secret rotation and fine-grained access control.

Why this answer

Option B is correct because AWS Secrets Manager is designed to store and rotate secrets automatically. Option D is wrong because SSM Parameter Store can store secrets but does not natively rotate them. Option C is wrong because DynamoDB is not a secret management service.

Option A is wrong because S3 can store encrypted objects but requires custom rotation logic.

214
MCQhard

A developer runs the AWS CLI command shown. The Lambda function returns a 200 status code but the output file is null and the response includes FunctionError: Unhandled. What does this indicate?

A.The Lambda function timed out.
B.The Lambda function threw an unhandled exception.
C.The payload was too large for synchronous invocation.
D.The Lambda function was not found.
AnswerB

FunctionError: Unhandled indicates an unhandled exception.

Why this answer

Option B is correct because 'Unhandled' means the function threw an exception that was not caught, and the output is null because the function returned an error. Option A is wrong because 200 indicates invocation succeeded. Option C is wrong because there is no such error.

Option D is wrong because the function was invoked.

215
MCQmedium

A company has a DynamoDB table that stores order data. The table has a partition key of OrderID and a sort key of OrderDate. The company frequently queries orders by CustomerID, which is not a key attribute. The queries are slow and consume a lot of read capacity. Which design change would MOST improve query performance?

A.Increase the provisioned read capacity for the table.
B.Create a Global Secondary Index (GSI) with CustomerID as the partition key.
C.Change the table's primary key to use CustomerID as the partition key.
D.Use a FilterExpression on the CustomerID attribute in a Scan operation.
AnswerB

GSI allows efficient querying on CustomerID.

Why this answer

Queries by non-key attributes require a Scan, which is inefficient. Creating a Global Secondary Index with CustomerID as the partition key allows efficient querying. Changing the table's key would break existing applications.

Using FilterExpression still scans the table. Increasing read capacity only addresses throttling, not performance of scans.

216
MCQeasy

A developer wants to upload a large file (5 GB) to an Amazon S3 bucket using the AWS SDK. Which approach is MOST efficient and resilient?

A.Generate a presigned URL and use a third-party tool to upload.
B.Invoke an AWS Lambda function to upload the file.
C.Use the Multipart Upload API to upload the file in parts.
D.Use the PutObject API call with the entire file.
AnswerC

Multipart Upload is designed for large objects.

Why this answer

Option C is correct because the S3 Multipart Upload API is designed for large objects, providing better throughput and resilience. Option D is wrong because it does not support objects over 5 GB. Option A is wrong because presigned URLs don't provide multipart upload benefits.

Option B is wrong because Lambda has a payload limit.

217
MCQeasy

A developer has an Amazon S3 bucket containing private user documents. The application must generate a time-limited URL for users to download their own documents without requiring the users to have AWS credentials. Which solution should the developer use?

A.Use CloudFront signed URLs with an origin access identity (OAI) to restrict access to the S3 bucket.
B.Create a pre-signed URL for each object using the AWS SDK with an appropriate expiration time.
C.Set a bucket policy that allows public read access for the specific users based on their IP addresses.
D.Provide the users with IAM user credentials that have read access to the bucket.
AnswerB

Pre-signed URLs grant temporary access to a specific S3 object. The URL is generated using the developer's AWS credentials and expires after the specified duration, providing secure time-limited access.

Why this answer

Pre-signed URLs allow temporary, time-limited access to private S3 objects without requiring the user to have AWS credentials. The developer generates the URL server-side using the AWS SDK, embedding an expiration time, and the user can download the object directly via HTTP GET. This meets the requirement of granting ephemeral access to specific documents for unauthenticated users.

Exam trap

The trap here is that candidates often confuse pre-signed URLs with CloudFront signed URLs, thinking the CDN is required for time-limited access, but pre-signed URLs work directly with S3 and are simpler for single-object, time-limited downloads without needing CloudFront.

How to eliminate wrong answers

Option A is wrong because CloudFront signed URLs with OAI are used to control access at the CDN edge, but they still require the developer to manage CloudFront distributions and signing keys; the question asks for a simpler, direct S3 solution without requiring users to have AWS credentials. Option C is wrong because setting a bucket policy for public read access based on IP addresses would expose the bucket to all users from those IPs, violating the requirement for per-user, per-document private access and not providing time-limited URLs. Option D is wrong because providing IAM user credentials to end users is a security anti-pattern; it would require distributing long-term credentials, violating the principle of least privilege and the requirement that users not have AWS credentials.

218
MCQmedium

A developer is building a serverless application using AWS Lambda to process events from Amazon S3. The Lambda function needs to persist data to an Amazon RDS MySQL database. Which of the following is the MOST secure way to pass database credentials to the Lambda function?

A.Store the credentials in an S3 bucket with server-side encryption and read them in the Lambda function.
B.Use IAM database authentication for MySQL and assign an IAM role to the Lambda function.
C.Hardcode the credentials as environment variables in the Lambda function configuration.
D.Store the credentials in AWS Secrets Manager and retrieve them in the Lambda function code.
AnswerD

Secrets Manager provides secure storage and automatic rotation.

Why this answer

Option D is correct because using AWS Secrets Manager allows automatic rotation and secure retrieval of secrets without hardcoding. Option C is wrong because environment variables are visible in the Lambda console. Option A is wrong because storing in S3 is less secure and requires additional permissions.

Option B is wrong because IAM roles are for AWS services, not database credentials.

219
MCQeasy

A developer is implementing a REST API using Amazon API Gateway and AWS Lambda. The API should return a static response from an Amazon S3 bucket for a specific GET endpoint without invoking a Lambda function. Which API Gateway integration type should be used?

A.MOCK
B.HTTP_PROXY
C.AWS_PROXY
D.AWS
AnswerB

Forwards request to an HTTP endpoint like S3 website.

Why this answer

Option B is correct because the HTTP proxy integration forwards requests directly to an HTTP endpoint, such as an S3 static website. Option A is wrong because MOCK returns a static response but does not integrate with S3. Option C is wrong because AWS proxy integrates with Lambda.

Option D is wrong because it's for private integrations.

220
MCQmedium

A developer is building a serverless application using AWS Step Functions. The workflow must execute hundreds of thousands of short-lived tasks per day, each taking less than 30 seconds. The tasks need to run in parallel, and a small number of duplicate executions are acceptable. Which type of Step Functions workflow should the developer choose?

A.Standard Workflow
B.Express Workflow
C.AWS Lambda function with synchronous invocation
D.Amazon Simple Workflow Service (SWF)
AnswerB

Express Workflows are optimized for high-volume, short-duration executions (under 5 minutes) with at-least-once delivery. They can handle hundreds of thousands of executions per second at a lower cost, making them suitable for this use case.

Why this answer

Express Workflows are designed for high-volume, short-duration (under 5 minutes) event-processing workloads, executing hundreds of thousands of state transitions per second with at-least-once semantics. Since the tasks are short-lived (under 30 seconds), run in parallel, and tolerate a small number of duplicate executions, Express Workflow is the correct choice because it offers lower cost and higher throughput than Standard Workflow, which guarantees exactly-once execution and is better suited for long-running, auditable workflows.

Exam trap

The trap here is that candidates often assume Standard Workflow is always the default choice for Step Functions, overlooking the specific requirements for high throughput, short duration, and tolerance for duplicates that make Express Workflow the correct answer.

How to eliminate wrong answers

Option A is wrong because Standard Workflow is designed for long-running, durable workflows with exactly-once execution and a maximum execution duration of one year, making it over-provisioned and more expensive for high-volume, short-lived tasks where duplicate executions are acceptable. Option C is wrong because AWS Lambda synchronous invocation is not a Step Functions workflow type; it is a compute invocation pattern that lacks the orchestration, state management, and parallel execution capabilities provided by Step Functions. Option D is wrong because Amazon Simple Workflow Service (SWF) is a legacy service for long-running, human-in-the-loop workflows, not optimized for high-throughput, short-lived automated tasks, and it requires managing workers and deciders, adding operational overhead.

221
Multi-Selecteasy

Which TWO AWS services can be used to trigger an AWS Lambda function asynchronously?

Select 2 answers
A.Amazon EventBridge
B.Amazon API Gateway (REST API)
C.Amazon CloudWatch Events (scheduled events)
D.Amazon S3 (bucket notifications)
E.AWS Step Functions (synchronous)
AnswersA, D

EventBridge invokes Lambda asynchronously for events.

Why this answer

Options A and D are correct. S3 can invoke Lambda asynchronously on object create events. EventBridge can invoke Lambda asynchronously in response to events.

Option B is synchronous invocation. Option C is for scheduled events (could be considered asynchronous, but EventBridge is a more direct answer). Option E is synchronous invocation.

222
Multi-Selecthard

A company is deploying a containerized application on Amazon ECS using the Fargate launch type. The application must be highly available across multiple Availability Zones. The developer needs to configure the ECS service. Which THREE configuration options are required? (Choose THREE.)

Select 3 answers
A.Create an Auto Scaling group for the Fargate tasks.
B.Set the desired number of tasks to at least 2.
C.Associate an Application Load Balancer with the ECS service.
D.Configure the service to place tasks in at least two subnets in different Availability Zones.
E.Use a DynamoDB table to store task state.
AnswersB, C, D

Multiple tasks provide redundancy.

Why this answer

Option C is correct because a load balancer is needed to distribute traffic across tasks in multiple AZs. Option B is correct because setting the number of tasks to at least 2 ensures redundancy. Option D is correct because spreading tasks across multiple AZs ensures high availability.

Option A is wrong because ECS does not support Auto Scaling groups with Fargate. Option E is wrong because a DynamoDB table is not needed for ECS service configuration.

223
MCQeasy

A developer needs to analyze real-time streaming data from thousands of devices. The data consists of JSON messages that must be processed and stored in Amazon S3. Which AWS service should the developer use to ingest and buffer the streaming data?

A.Amazon S3
B.AWS Lambda
C.Amazon Simple Queue Service (SQS)
D.Amazon Kinesis Data Streams
AnswerD

Designed for real-time data ingestion.

Why this answer

Option D is correct because Amazon Kinesis Data Streams is designed for real-time data ingestion and can buffer data. Option B is wrong because Lambda is for compute, not ingestion. Option C is wrong because SQS is for message queues, not high-throughput streaming.

Option A is wrong because S3 is storage, not ingestion.

224
MCQhard

A developer deploys this CloudFormation template. The Lambda function fails to access the DynamoDB table 'MyTable'. What is the most likely cause?

A.The Lambda execution role lacks DynamoDB permissions.
B.The runtime nodejs18.x is incorrect for this handler.
C.The S3 bucket 'my-bucket' does not exist.
D.The environment variable TABLE_NAME is misspelled.
AnswerA

The role ARN is provided but its policy must include DynamoDB actions.

Why this answer

Option A is correct because the Lambda execution role does not include DynamoDB permissions. Option D is wrong because the environment variable is correctly set. Option B is wrong because the runtime is supported.

Option C is wrong because the S3 bucket and key are specified correctly.

225
MCQmedium

A REST API requires request validation before invoking Lambda to reduce unnecessary function executions for malformed payloads. Where should validation be configured?

A.Inside the Lambda timeout setting
B.In the IAM execution role
C.In the S3 bucket policy
D.In API Gateway request models and validators
AnswerD

Correct for the stated requirement.

Why this answer

API Gateway provides built-in request validation using models (JSON Schema) and validators. By configuring validation at the API Gateway layer, malformed payloads are rejected before they reach the Lambda function, reducing unnecessary invocations and associated costs. This is the correct approach because API Gateway acts as the entry point for REST APIs and can enforce payload structure without invoking the backend.

Exam trap

The trap here is that candidates may confuse Lambda's execution role or timeout settings with request validation, not realizing that API Gateway is the correct layer to filter malformed payloads before they trigger Lambda.

How to eliminate wrong answers

Option A is wrong because the Lambda timeout setting controls how long a function can run, not whether it is invoked; it cannot prevent invocation for malformed payloads. Option B is wrong because the IAM execution role defines permissions for the Lambda function to access other AWS services, not request validation. Option C is wrong because S3 bucket policies control access to S3 objects, not API request validation; they are unrelated to REST API payload checking.
